1. Technical Field of the Invention
The present invention relates in general to network security, and in particular, to identifying malicious sources within networks.
2. Description of Related Art
Network security is an important part of any network infrastructure. Network administrators adopt policies and implement various measures to prevent unauthorized access and protect networks against attackers who send spam, release worms or perform other illegal actions using the network. The most common way to secure a network is to allow access only from known, authenticated users using an authentication process, e.g., a user name and password. However, this approach provides no security against “sniffing,” and attackers can easily spoof legitimate network addresses. In addition, authentication procedures do not check the content of messages, and therefore provide no protection against potentially harmful content, such as computer worms being transmitted over the network.
Another network security measure commonly used in networks is an intrusion prevention system (IPS). An IPS is a network device that monitors the network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. A network-based IPS, for example, will operate in-line to monitor all network traffic for malicious codes or attacks. When an attack is detected, the IPS can drop the malicious packets, while still allowing other traffic to pass.
However, it is relatively easy for worms to change signatures. Therefore, IPS devices that use signature-based methods to detect worms are useless against zero-day attacks. In addition, IPS devices have had difficulty detecting stealth network worms. Stealth worms pose a major threat to Internet users and on-line businesses in that they are typically the vehicle of choice for many identity theft and financial fraud attackers. Stealth worms evade detection by minimizing the number of packets they send. For example, a stealth worm may perform target discovery to identify new victim hosts by sending packets at a very low rate, for instance, a few packets per week. Since the rate of malicious packets is low as compared to normal traffic in a network, it is difficult for traditional IPS devices to detect stealth worms using traditional traffic anomaly analysis methods. Detection of stealth worms can be improved by increasing the sensitivity of IPS devices to traffic anomalies. However, increasing the detection sensitivity also leads to a high rate of false positives.
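The sensitivity trade-off described above can be made concrete with a small rate-based detector. The following is an added illustration, not part of the patent text: it counts the distinct destinations each source contacts per fixed time window, over a constructed sample in which host 10.0.0.5 is a busy but benign client (60 connections to 20 distinct hosts within one hour) and host 10.0.0.9 is a slow scanner that probes one new target every two days. The addresses, window sizes and thresholds are all assumed for the example.

```python
"""Toy per-source anomaly detector: distinct destinations per time window.

Added illustration (not from the patent). Shows why a threshold that
catches a slow scanner also flags a busy legitimate host.
"""
from collections import defaultdict

DAY = 86400  # seconds

# Constructed sample of connection-attempt records: (timestamp_seconds, src, dst).
# 10.0.0.5: 60 connections in one hour, cycling through 20 distinct targets.
# 10.0.0.9: one new target every two days, seven targets over two weeks.
SAMPLE = (
    [(t * 60, "10.0.0.5", f"10.0.1.{1 + (t % 20)}") for t in range(60)]
    + [(d * 2 * DAY, "10.0.0.9", f"10.0.2.{d}") for d in range(1, 8)]
)


def distinct_targets_per_window(records, window_seconds):
    """Map (src, window_index) -> number of distinct destinations contacted."""
    seen = defaultdict(set)
    for ts, src, dst in records:
        seen[(src, ts // window_seconds)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def peak_targets_per_source(records, window_seconds):
    """Highest distinct-destination count any window reached, per source."""
    peak = defaultdict(int)
    for (src, _), n in distinct_targets_per_window(records, window_seconds).items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def flagged_sources(records, window_seconds, threshold):
    """Sources that contact more than `threshold` distinct hosts in some window."""
    return {src for src, n in peak_targets_per_source(records, window_seconds).items()
            if n > threshold}


if __name__ == "__main__":
    # Hourly window, threshold 10: the benign host is flagged, the scanner is not.
    print(flagged_sources(SAMPLE, 3600, 10))
    # Weekly window, threshold 2: the scanner is caught, but so is the benign host.
    print(flagged_sources(SAMPLE, 7 * DAY, 2))
    # Weekly window, threshold 5: back to missing the scanner.
    print(flagged_sources(SAMPLE, 7 * DAY, 5))
```

With an hourly window the scanner never exceeds one new target per window, so no positive threshold catches it, while the benign host's burst of 20 targets already exceeds a threshold of 10. Widening the window to a week lets the scanner accumulate three targets, but any threshold low enough to flag it also flags the benign host, which is the false-positive cost the text refers to.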
In addition to an IPS, some networks utilize honeypots, which are essentially decoy network-accessible resources that are deployed in a network as surveillance and early-warning tools. A honeypot is typically a standalone host which presents itself to the network as a server that provides a specific service (e.g., web server, mail server, etc.). Honeypots are passive by nature, waiting for a worm to send packets to them. The techniques used by attackers that attempt to compromise the honeypot are studied during and after an attack to help tighten the security provided by the IPS. However, many worms, especially stealth worms, are able to detect honeypots, and therefore avoid sending packets to them.